The Department of Justice and FBI have taken down the Coreflood botnet. Not …

Past efforts at killing botnets—the large networks of computers running malicious software to send spam, flood websites with traffic, and steal personal data—have managed to disable the networks by taking down important servers, but they've always stopped short of actually killing the botnet software itself. That's because the companies behind these efforts have no more legal authority to run unauthorized software on users' machines than the botnet owners do—to remove the botnet software would make them just as guilty of hacking as the bad guys are.

The result is that while efforts such as Microsoft's disruption of the Waledac and Rustock botnets were successful, they were far from perfect. These efforts left the malicious software running on the infected PCs—they just removed the command and control servers, the centralized machines that tell the botnet what to do. Should the bot herders regain control of the domain names or IP addresses used by the command-and-control servers, the infected machines will be able to successfully connect to them, and the networks will once again spring into life.

A new Justice Department attack will go some way towards solving that problem, at least for the botnet known as "Coreflood." A federal judge has authorized the non-profit Internet Systems Consortium, working in conjunction with the FBI, to go beyond taking down the command-and-control servers: the ISC has installed its own command-and-control servers. The command the servers are sending? Kill the botnet malware. The servers were swapped out on Tuesday evening, and the kill command was duly sent.

The kill command still stops short of removing the malware altogether—each time an infected PC is rebooted it will try to restart the botnet software. But every time, the new command and control servers will tell the software to shut down, preventing it from causing any more harm.

In tandem with this effort, Microsoft has updated its Malicious Software Removal Tool (MSRT) to enable it to remove the Coreflood malware itself. Some users will likely receive this tool through Windows Update, but to ensure greater reach, the new command-and-control servers will record every IP address that tries to reach them. This IP address information will be used to inform ISPs that machines are infected. In turn, the ISPs will inform their end users and provide information on where to get the MSRT.

Users will also be able to opt out of the entire process, if they would prefer to let the malware continue to run on their PCs.
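To make the notification step concrete, here is an added example (not code from the article, the ISC, the FBI or Microsoft) of how contact logs from a sinkholed command-and-control server could be turned into per-ISP notification lists while honouring an opt-out list. The log format, the prefix-to-ISP table, the opt-out entries and every address are constructed for illustration; a real sinkhole would use its own log format and attribute addresses through WHOIS or BGP data.

```python
"""Sinkhole contact-log triage: aggregate beacons from infected hosts by ISP
so each ISP can be told which of its customers are infected.
Added example; all data below is constructed, not real telemetry."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample sinkhole log: "<timestamp> <client ip> <event>".
# The format is an assumption for this example, not Coreflood's protocol.
SINKHOLE_LOG = """\
2011-04-12T22:03:11Z 198.51.100.23 beacon
2011-04-12T22:03:12Z 198.51.100.23 beacon
2011-04-12T22:04:40Z 203.0.113.77 beacon
2011-04-12T22:05:02Z 192.0.2.9 beacon
2011-04-12T22:05:03Z 192.0.2.250 beacon
malformed line here
2011-04-12T22:06:15Z 198.51.100.80 beacon
"""

# Constructed prefix-to-ISP table (documentation ranges only).
ISP_PREFIXES = {
    "198.51.100.0/24": "Example ISP A",
    "203.0.113.0/24": "Example ISP B",
}

# Constructed opt-out list: addresses whose owners declined notification.
OPT_OUT = {"203.0.113.77"}


def parse_log(text):
    """Yield (timestamp, ip_address) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            # Malformed timestamp or address: ignore rather than abort the run.
            continue
        yield ts, ip


def lookup_isp(ip, prefixes=ISP_PREFIXES):
    """Longest-prefix match of ip (string or address object) against the
    ISP table; returns the ISP name or None if no prefix covers it."""
    ip = ipaddress.ip_address(ip)
    best = None
    for cidr, name in prefixes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def build_notifications(text, prefixes=ISP_PREFIXES, opt_out=OPT_OUT):
    """Return (report, unattributed) where report maps
    ISP -> {ip: {"first_seen", "last_seen", "hits"}}, skipping opted-out
    addresses, and unattributed is the set of IPs no prefix covered."""
    report = defaultdict(dict)
    unattributed = set()
    for ts, ip in parse_log(text):
        ip_s = str(ip)
        if ip_s in opt_out:
            continue
        isp = lookup_isp(ip, prefixes)
        if isp is None:
            unattributed.add(ip_s)
            continue
        entry = report[isp].setdefault(
            ip_s, {"first_seen": ts, "last_seen": ts, "hits": 0})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["hits"] += 1
    return dict(report), unattributed


if __name__ == "__main__":
    report, unattributed = build_notifications(SINKHOLE_LOG)
    for isp, hosts in sorted(report.items()):
        print(f"{isp}: {len(hosts)} infected host(s)")
        for ip, e in sorted(hosts.items()):
            print(f"  {ip}  hits={e['hits']}  first={e['first_seen']:%H:%M:%S}"
                  f"  last={e['last_seen']:%H:%M:%S}")
    print("unattributed (need manual lookup):", sorted(unattributed))
```

Two points worth noting for anyone building something similar: the opt-out check runs before attribution, so a declined address never appears in any ISP's list, and addresses that no prefix covers are kept separately rather than dropped, since silently losing them would leave infected machines without notification.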

Coreflood was a particularly nasty botnet. Rather than merely sending spam, it stole banking and other financial information from infected systems. This harvested information was then sent to the command-and-control servers, and according to court filings, allowed criminals to steal hundreds of thousands of dollars from victims. The Coreflood software has been around since 2003, receiving regular updates in an effort to keep one step ahead of anti-malware software. It started out as a regular trojan—a program that masquerades as something useful but which actually does something harmful—before gaining botnet capabilities in 2009. Over the course of its life, more than two million machines were infected.

Though this aggressive move is likely to be effective in combatting the botnet, not everyone is convinced that it's an appropriate path to go down. Speaking to Wired, Electronic Frontier Foundation technology director Chris Palmer described it as an "extremely sketchy action to take," warning that "you don’t know what's going to happen for sure. You might blow up some important machine."

Aggressive as it was, other nations have gone further to fight the botnet menace. Last year, Dutch and Armenian law enforcement made a joint effort to kill off the Bredolab botnet. In this case, the Dutch authorities installed their own command-and-control servers, using them to distribute a program to infected computers that would redirect users to a website giving specific information on how to disinfect their computers. This seemed to work well, with authorities reporting more than 100,000 visits to the site.

There's no word yet on how effective the Justice Department's plan has been. If manual outreach proves effective then there may be no need to go one step further as the Dutch did. But if persistent infections continue to be an issue—as they are with Rustock and Waledac—then American law enforcement may well be tempted to take more proactive measures against the botnets, in spite of the concerns this raises.